The rapid rise of account-to-account (ACH) payments has opened new possibilities for hemp and THC e‑commerce merchants facing ongoing payment card restrictions. However, as ACH volumes grow, fraud threats are evolving—and in response, Nacha has unveiled an aggressive, multi-phased risk management package set to transform ACH fraud compliance between 2025 and 2026.
This post takes a deep dive into the details and implications of these changes—focusing on what hemp/THC e‑commerce merchants, payment service providers, and compliance teams must know to stay ahead. We’ll explore the high points of the coming rules, practical steps for aligning your workflows, and why onboarding, return rates, and third-party provider diligence matter more than ever.
The Regulatory Backdrop: Why Nacha Is Tightening ACH Fraud Controls
The Automated Clearing House (ACH) is the backbone of digital bank-to-bank payments in the U.S. For hemp and THC online merchants, ACH offers a critical payment lifeline—especially given restrictions from major card brands. Yet, with this growth comes risk. Fraud by way of unauthorized debits, account takeovers, and synthetic identities has climbed sharply, impacting consumers and undermining network trust.
Nacha’s 2025–2026 risk management package is a direct response, seeking to:
- Reduce successful fraud attempts at the network level
- Shorten windows for detection and fund recovery after fraud
- Create more consistent, proactive oversight among all ACH network participants
Key Timeline:
- March 20, 2026: First phase of new fraud monitoring requirements become effective for ODFIs (Originating Depository Financial Institutions)
- June 19, 2026: Additional fraud monitoring obligations take effect, applying to all Originators, TPSPs (Third-Party Service Providers), and TPSs (Third-Party Senders)
Source: Nacha New Rules Hub
Expanded Fraud Monitoring: Who Is Responsible?
The new risk management rules greatly expand who is accountable for fraud monitoring and mitigation:
- Originators: Entities that initiate ACH entries (i.e., hemp/THC merchants and marketplaces)
- ODFIs: Banks/funders sending entries into ACH
- TPSPs/TPSs: Payment gateways, platforms, and providers handling transactions on behalf of Originators
All parties must adopt risk-based monitoring tactics to detect entries initiated under false pretenses, with a particular eye on unauthorized debits—all within tighter thresholds and timelines.
Practical Implications:
- If you run a hemp/THC e-commerce site, you must be ready to demonstrate ongoing monitoring of all outbound ACH activity. The same applies to any payment solution, gateway, or provider serving your business.
Rule Highlights: What’s Changing in 2025–2026?
1. Proactive, Layered Fraud Monitoring
Prior versions of Nacha’s rules largely left fraud surveillance to the ODFIs. Now, all Originators and their vendors must implement proactive fraud controls—including risk monitoring attuned to transaction type, merchant vertical (including hemp/THC), and return rate history.
- Monitoring can’t be “checklist-only”—rules require risk-based, dynamic review of anomalous activity, synthetic identities, and velocity/frequency patterns (e.g., spikes in micro-transactions or unauthorized WEB debits).
- Merchants with high average transaction values or subscription models need to be especially vigilant, as return-rate thresholds will be fine-tuned for these contexts.
2. Tighter Return-Rate Thresholds and Dispute Handling
Nacha is expected to refine permissible return-rate levels—especially for high-risk, high-dispute contexts like recurring subscriptions and hemp/THC retail. Merchants must:
- Monitor and reduce their unauthorized return rates (<0.5% for most; <3% overall returns as informal guidance)
- Maintain robust dispute escalation, documentation, and refund policies to resolve true consumer complaints and preempt fraud claims
- Address excessive return rates proactively to avoid fines, monitoring, or potential loss of ACH access
Tip: Integrate customer support and refund automation so disputes are resolved before they hit the ACH network.
3. Enhanced WEB Debit Requirements & Micro-Entry Controls
The crackdown specifically targets “WEB debits”—ACH entries authorized via the internet/mobile. Nacha’s updates require:
- Multi-layer account validation for all new WEB debit authorizations (leveraging bank account validation and MFA where practical)
- Special controls and monitoring for micro-debits/micro-credits used to validate account ownership
- Documentation to show you’ve performed these checks on all customers/accounts
Resources: J.P. Morgan on 2026 Nacha Rule Changes
4. Due Diligence on ACH Gateways and Third-Party Providers
Nacha is placing greater diligence expectations on anyone facilitating ACH on behalf of merchants—including payment gateways and TPSPs serving cannabinoid commerce. ODFIs must:
- Verify that partner gateways and platforms have robust fraud controls, clear KYC (Know Your Customer) and UBO (Ultimate Beneficial Ownership) processes, and are not servicing sanctioned or high-risk parties without proper controls.
- Perform annual diligence reviews; require clear, up-to-date documentation and risk disclosures.
Takeaway: Hemp/THC merchants should vet their ACH payment providers—requesting evidence of compliance and readiness for these new rules.
5. Aligning KYC/Onboarding With Hemp-Specific Compliance
Recent guidance from FinCEN (including BOI—Beneficial Ownership Information—regulations) means onboarding for hemp e-commerce must coordinate:
- State/federal license validation
- Certificate of Analysis (COA) for cannabinoid content
- Ongoing monitoring for regulatory status and adverse enforcement actions
ACH onboarding/KYC flows should be tuned to these risks, with clear documentation to present to bank partners and auditors.
For details on BOI and KYC alignment, see FinCEN’s 2025 BOI Guidance and FinCEN on hemp onboarding.
Steps for Hemp/THC Merchants and Providers: What To Do Now
1. Start Dialogue With Your ACH Bank, Gateway, and Compliance Teams
- Confirm readiness timelines and audit your payment stack for upcoming requirements.
2. Evaluate and Tighten Internal Fraud Controls
- Deploy velocity limits, repeat customer analysis, account validation, and transaction monitoring.
3. Address Subscription and High-Risk Return Challenges
- Build clear, transparent refund and cancellation flows to reduce disputes.
- Monitor subscription cohorts for spiking return/chargeback rates.
4. Document Your Policies & Procedures
- Update and retain all written policies for onboarding, fraud detection, account closure, and customer communications.
5. Vet All Third-Party Providers
- Demand evidence of compliance and controls from every payment/ACH vendor in your stack.
What Happens If You Don’t Comply?
The consequences of failing under Nacha’s new rules are serious:
- Ongoing monitoring by funding banks (ODFIs) may result in account holds or risk downgrades.
- Repeated excessive returns or ignored fraud signals may trigger network penalties, industry blacklisting, or loss of ACH access.
- Substantial fines or even litigation for willful negligence.
As always, these guidelines are informational and do not constitute legal advice—consult compliance professionals for tailored strategies.
Looking Ahead: Cementing Cannabis Payment Compliance in 2025–2026
With card rails likely to remain restricted for hemp and THC e-commerce, ACH is both a necessity and a duty. The new Nacha rules will demand:
- Proactive fraud management by every player in the merchant/provider/bank chain
- Higher transparency, clearer documentation, and faster intervention when fraud or excessive returns emerge
- Diligence to stay in sync with FinCEN, state-level licensing, and the evolving compliance landscape
To stay compliant—and competitive—cannabis e-commerce leaders must own their ACH risk strategy before 2026 arrives.
To access cannabis payment compliance checklists, onboarding templates, and deep-dive regulatory guides, turn to CannabisRegulations.ai for unmatched resources and support.
